Tracking Current and Future Botnets

Matt Sergeant

Since 2004, when the outbreak of the MyDoom virus installed botnet spamware on victims' PCs, we have been identifying and tracking various forms of spamming botnets. The most recent large-scale example of this is the Srizbi botnet, which numbers in the hundreds of thousands of actively spamming IP addresses, potentially indicating millions of infected machines.

Botnets behave in specific ways which often allow them to be identified. By fingerprinting specific bots we are able to maintain a database of millions of IPs participating in the botnets. By doing so we can track the rise and fall of specific botnets, such as the meteoric rise seen by the Storm botnet, and the very sudden drop-off as various anti-spam outfits, including the Microsoft Malicious Software Removal team, rose to the challenge of cleaning up the Storm infestation.

This talk will detail ways in which these botnets can be detected, both in an email setting and from a network operations viewpoint, including such activities as the use of TCP fingerprinting to identify unusual bot practices, the use of inbound traffic filtering, and even some simple pattern matching. Practical information about securing your network against these kinds of activities will be given. Furthermore, we will discuss various activities within the global anti-spam community that are being undertaken to help reduce the impact of these botnets and reduce the capacity of the miscreants who own and run them.
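To make the "simple pattern matching" and per-IP database idea concrete, here is an added example (not code from the talk or from the speaker's systems). It tags SMTP sessions with heuristic labels, accumulates a per-IP record of which labels fired, and counts flagged IPs per hour so that a botnet's rise or fall shows as a time series. The log line format, the receiving domain `example.net`, the three heuristics, and every IP address are constructed for the illustration; they are not real bot fingerprints.

```python
"""Added illustration of pattern-matching SMTP session logs to build a
per-IP bot fingerprint database.  Log format, heuristics and addresses
are constructed for this example, not taken from the talk."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: one SMTP session per line (not a real MTA's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) helo=(?P<helo>\S+) rdns=(?P<rdns>\S+) "
    r"rcpts=(?P<rcpts>\d+) msg=(?P<msg>\S+)$"
)

OUR_DOMAIN = "example.net"  # assumption: the domain this MTA receives mail for


def parse_session(line):
    """Return a dict for one session line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["rcpts"] = int(d["rcpts"])
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def fingerprint(s):
    """Return the set of constructed heuristic labels that fire for a session.

    Each label stands in for one 'specific way a bot behaves'; a real
    deployment would tune these against observed traffic."""
    labels = set()
    helo = s["helo"].lower()
    # A remote client claiming to be one of our own hosts in HELO is not legitimate.
    if helo == OUR_DOMAIN or helo.endswith("." + OUR_DOMAIN):
        labels.add("helo-impersonates-us")
    # Bare dotted-quad HELO without the brackets RFC 5321 requires for literals.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", helo):
        labels.add("helo-bare-ip")
    # No reverse DNS plus many recipients in one session is a burst pattern.
    if s["rdns"] == "none" and s["rcpts"] >= 20:
        labels.add("no-rdns-burst")
    return labels


def build_database(lines):
    """Tag each session; return {ip: {"labels": set, "sessions": count}} for flagged IPs."""
    db = defaultdict(lambda: {"labels": set(), "sessions": 0})
    for line in lines:
        s = parse_session(line)
        if s is None:
            continue
        hits = fingerprint(s)
        if hits:
            db[s["ip"]]["labels"] |= hits
            db[s["ip"]]["sessions"] += 1
    return dict(db)


def label_counts_by_hour(lines):
    """Count distinct flagged IPs per (hour, label), giving a rise/fall time series."""
    seen = defaultdict(set)
    for line in lines:
        s = parse_session(line)
        if s is None:
            continue
        hour = s["ts"].strftime("%Y-%m-%dT%H")
        for lab in fingerprint(s):
            seen[(hour, lab)].add(s["ip"])
    return {k: len(v) for k, v in seen.items()}


# Constructed sample sessions using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2008-06-01T10:00:01Z ip=198.51.100.7 helo=mail.example.net rdns=none rcpts=1 msg=m1",
    "2008-06-01T10:00:05Z ip=198.51.100.8 helo=203.0.113.9 rdns=none rcpts=25 msg=m2",
    "2008-06-01T10:01:00Z ip=192.0.2.15 helo=smtp.partner.example rdns=smtp.partner.example rcpts=2 msg=m3",
    "2008-06-01T11:00:00Z ip=198.51.100.7 helo=example.net rdns=none rcpts=30 msg=m4",
    "this line is not a session record",
]

if __name__ == "__main__":
    for ip, rec in sorted(build_database(SAMPLE_LOG).items()):
        print(ip, rec["sessions"], sorted(rec["labels"]))
    print(label_counts_by_hour(SAMPLE_LOG))
```

The legitimate partner host in the sample never enters the database because no heuristic fires for it, while the two flagged addresses accumulate labels across sessions; feeding the hourly counts into a time series is what lets an operator see a botnet grow or shrink rather than just a one-off total.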